Authorization?? pb Authentication against AD
Hello, trying to authenticate wireless users against Active Directory using freeradius 2.0.2-3. I can authenticate users using EAP-PEAP or EAP-TLS. First question: is EAP system mandatory to authenticate against Active Directory? - i follow the this HOWTO (http://wiki.freeradius.org/Syslog_HOWTO), so "wbinfo" and "Ntlm_Auth" function properly like the HOWTO says - user "glouglou" with password "glouglou" exists in AD. On authentication attempt against AD, i have thoses messages that i don't undertand so well: 1. Part of Log of Radiusd -X //////////////////////////////////////////////////////////////////////////////////////////////////// +- entering group MS-CHAP rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for glouglou with NT-Password WARNING: Deprecated conditional expansion ":-". See "man unlang" for details WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: --username=%{Stripped-User-Name:-%{User-Name:-None}} -> --username=PLUTON\glouglou mschap2: ca expand: --challenge=%{mschap:Challenge:-00} -> --challenge=b7b4f66d1ed49fa6 expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=1f96c63c6a98e87af339d1226e5feef41e327666f3ccd175 Exec-Program output: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/lib/samba/winbindd_privileged are set correctly. (0xc0000022) Exec-Program-Wait: plaintext: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/lib/samba/winbindd_privileged are set correctly. (0xc0000022) Exec-Program: returned: 1 rlm_mschap: External script failed. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject rlm_eap: Freeing handler ++[eap] returns reject auth: Failed to validate the user. Login incorrect: [PLUTON\\glouglou/<via Auth-Type = EAP>] (from client Access_Point_DWL-8500AP+_A1_L1 port 1 cli 00-12-F0-0C-97-61) } # server (null) //////////////////////////////////////////////////////////////////////////////////////////////////// 2. "Exec-Program output: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/lib/samba/winbindd_privileged are set correctly. (0xc0000022) Exec-Program-Wait: plaintext: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/lib/samba/winbindd_privileged are set correctly. (0xc0000022)" //////////////////////////////////////////////////////////////////////////////////////////////////// Part of /var/lib/samba files: ------------------------------------ # aaa:/var/lib/samba # ls win* # winbindd_cache.tdb winbindd_cache.tdb.bak.old # winbindd_cache.tdb.bak winbindd_idmap.tdb # winbindd_privileged: # pipe # aaa:/var/lib/samba # ------------------------ # aaa:/var/lib/samba # ll winbindd_privileged/ # total 0 # srwxrwxrwx 1 root root 0 Jun 25 16:17 pipe aaa:/var/lib/samba # I am not so expert at Linux stuff. but i think it could just be an authorization problem. and i really don't know if some other stuffs are needed to authenticate against AD. may i have some advices? thank you all for your responses ************************************************************************** ENTIRE LOG BELOW: ---------------------------------------- rad_recv: Access-Request packet from host 10.10.44.246 port 1027, id=49, length=168 User-Name = "PLUTON\\glouglou" NAS-IP-Address = 10.10.44.246 NAS-Port = 1 Called-Station-Id = "00-1C-F0-08-FB-F8:MoJo" Calling-Station-Id = "00-12-F0-0C-97-61" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020a001401504c55544f4e5c676c6f75676c6f75 Message-Authenticator = 0xf46afa6cebe1a6532bda4720c452b684 +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 10 length 20 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 49 to 10.10.44.246 port 1027 EAP-Message = 0x010b00061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x56748010567f99f247f2f989f1c443b2 Finished request 50. Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 10.10.44.246 port 1027, id=50, length=246 User-Name = "PLUTON\\glouglou" NAS-IP-Address = 10.10.44.246 NAS-Port = 1 Called-Station-Id = "00-1C-F0-08-FB-F8:MoJo" Calling-Station-Id = "00-12-F0-0C-97-61" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020b005019800000004616030100410100003d03014864e9ca6f5373caeef782f84ee725f6fd57b421fde7913f318d1f6ff0aac6c800001600040005000a000900640062000300060013001200630100 State = 0x56748010567f99f247f2f989f1c443b2 Message-Authenticator = 0x71516277d5597dd13b90fa56bfc8a9e0 +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 11 length 80 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS TLS Length 70 rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0641], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 50 to 10.10.44.246 port 1027 EAP-Message = 0x010c040019c00000069e160301004a0200004603014864e8a53e27f6d97c706cd17f4501780c540984d8cc3a25921b0547b9042c75203997dfd8b795b86fac5393d5a7e5e95536f63ac703698b68336f4b1239ad13b300040016030106410b00063d00063a0002a6308202a23082020ba003020102020101300d06092a864886f70d010105050030818b310b3009060355040613024d41310e300c060355040813055261626174310e300c06035504071305416764616c310f300d060355040a1306454e5349415331143012060355040b130b43656e74726520496e666f3112301006035504031409454e534941535f43413121301f06092a864886f7 EAP-Message = 0x0d01090116126d62615f6f796f6e65407961686f6f2e6672301e170d3038303530363134323832385a170d3039303530363134323832385a308188310b3009060355040613024d41310e300c060355040813055261626174310f300d060355040a1306454e5349415331143012060355040b130b43656e74726520496e666f311c301a06035504031413454e534941535f5365727665725261646975733124302206092a864886f70d01090116156d62616f796f6e6540636172616d61696c2e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100bb95115e0a9b09647fcc2cc822240624842ae80bd3b8d5fd51bb9b9d0e EAP-Message = 0xfc65f768a58d0fd976268b8cb576905b2ae47089e70356e3b6a539f8debc381b98ae9b242ca42e3d7d85b08a66dcc5b7268c10911676e6a4517dc3e2130ce9eaee01388f6fe3696ea193320635c4c677009c17e4f0c40e00c8fc2f969e8e20a53112b90203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101050500038181005b553acadf73c7b78ba5f4a1700cb2326eb6e26c93b948d763705b44812933f1df17131e87744577c1c01a6d4ade88fe6ce1133fac1dedcf14f2490070301fa3e9ddd96ff4fa143f0aa853e5e15a055c45f34c7e18b8c3fc135e3e7f22e49d6007287911a4806494e4 EAP-Message = 0xf548d12f4a8fcfbc11d49ec1a035f4013de94243c014b600038e3082038a308202f3a003020102020900bed8f7f713ad2741300d06092a864886f70d010105050030818b310b3009060355040613024d41310e300c060355040813055261626174310e300c06035504071305416764616c310f300d060355040a1306454e5349415331143012060355040b130b43656e74726520496e666f3112301006035504031409454e534941535f43413121301f06092a864886f70d01090116126d62615f6f796f6e65407961686f6f2e6672301e170d3038303530363134313134375a170d3138303530343134313134375a30818b310b300906035504061302 EAP-Message = 0x4d41310e300c060355040813 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x56748010577899f247f2f989f1c443b2 Finished request 51. Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 10.10.44.246 port 1027, id=51, length=172 User-Name = "PLUTON\\glouglou" NAS-IP-Address = 10.10.44.246 NAS-Port = 1 Called-Station-Id = "00-1C-F0-08-FB-F8:MoJo" Calling-Station-Id = "00-12-F0-0C-97-61" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020c00061900 State = 0x56748010577899f247f2f989f1c443b2 Message-Authenticator = 0x66d1a8307eaffc06f9a08c946ceaec4e +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 12 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 51 to 10.10.44.246 port 1027 EAP-Message = 0x010d02ae1900055261626174310e300c06035504071305416764616c310f300d060355040a1306454e5349415331143012060355040b130b43656e74726520496e666f3112301006035504031409454e534941535f43413121301f06092a864886f70d01090116126d62615f6f796f6e65407961686f6f2e667230819f300d06092a864886f70d010101050003818d0030818902818100bf61b0669592b605195963d5382583d0e5115ccbdfe0f1c4ff9fcad9171f017d41eb27cf1d1a7a52db1c88665ce519c4f4bbb4ead5426825149fef16c52418fbdb933af73a051ebdd28373fa4879977d441d473f3dfd3ccd17874a1572cc1d4287290161798b EAP-Message = 0xc364ee28de1c671daa5f172ccdabb34b3d03f5da76857ff454950203010001a381f33081f0301d0603551d0e041604147526799856863b751619010ffc74602c7ab7565d3081c00603551d230481b83081b580147526799856863b751619010ffc74602c7ab7565da18191a4818e30818b310b3009060355040613024d41310e300c060355040813055261626174310e300c06035504071305416764616c310f300d060355040a1306454e5349415331143012060355040b130b43656e74726520496e666f3112301006035504031409454e534941535f43413121301f06092a864886f70d01090116126d62615f6f796f6e65407961686f6f2e667282 EAP-Message = 0x0900bed8f7f713ad2741300c0603551d13040530030101ff300d06092a864886f70d010105050003818100ab43dca4037042bca22b306a18b60eb9c28743208bc80727147bc80283ebe81cf182aaab8a9ffe8def8d30713c87d1135689ad72660efb61b0fcb8971dc37c36eb18ed6d32544026fe57b34bcbe819193341e0cebaa9b9c6d58d99a5af37557d1e9cb093a27658e7430cdc39fb2a3f331404807e4969fdc4f30a9963a997af1616030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x56748010547999f247f2f989f1c443b2 Finished request 52. Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 10.10.44.246 port 1027, id=52, length=358 User-Name = "PLUTON\\glouglou" NAS-IP-Address = 10.10.44.246 NAS-Port = 1 Called-Station-Id = "00-1C-F0-08-FB-F8:MoJo" Calling-Station-Id = "00-12-F0-0C-97-61" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020d00c01980000000b61603010086100000820080a09d13c7c124673a58b5dde71c8223571f9cd3414359c7818a4d8f95d7fdc04a4aeb3841ceaf9b6d39bab24619660043acc7277cc744ff6b020c4040f7f1ca7a50179053ee27dd5b5fbd8f8b373012f6bf0ee90b4fc1964de222bd63263efe014c0b6941347e5bc538d79ae23c8c99bc3440e6cf723969ab37c671db6715c0c614030100010116030100207ba294a9552ee15c39fb55bf3e8656293c7dab2a757dcf5b22f9c695fb33ab05 State = 0x56748010547999f247f2f989f1c443b2 Message-Authenticator = 0xea20985ef156f3ca1d289460bd9d2be1 +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 13 length 192 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS TLS Length 182 rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 52 to 10.10.44.246 port 1027 EAP-Message = 0x010e003119001403010001011603010020c345278c8df213925709e6088b0f731aab25a0d8385798c0a2c4db729262c8a6 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x56748010557a99f247f2f989f1c443b2 Finished request 53. Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 10.10.44.246 port 1027, id=53, length=172 User-Name = "PLUTON\\glouglou" NAS-IP-Address = 10.10.44.246 NAS-Port = 1 Called-Station-Id = "00-1C-F0-08-FB-F8:MoJo" Calling-Station-Id = "00-12-F0-0C-97-61" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020e00061900 State = 0x56748010557a99f247f2f989f1c443b2 Message-Authenticator = 0x2b8d1b169bbee8ce550ca9e214df3c94 +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 14 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 53 to 10.10.44.246 port 1027 EAP-Message = 0x010f0020190017030100151d867f83da3241029a7114e888c7cf60babf0e02d0 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x56748010527b99f247f2f989f1c443b2 Finished request 54. Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 10.10.44.246 port 1027, id=54, length=209 User-Name = "PLUTON\\glouglou" NAS-IP-Address = 10.10.44.246 NAS-Port = 1 Called-Station-Id = "00-1C-F0-08-FB-F8:MoJo" Calling-Station-Id = "00-12-F0-0C-97-61" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020f002b190017030100206fe05a76b2fae56696fffa2228ce92c191ee66a85461f6090415af436ac843ca State = 0x56748010527b99f247f2f989f1c443b2 Message-Authenticator = 0xd09d1d3774b211590555be066a70a8d5 +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 15 length 43 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - PLUTON\glouglou PEAP: Got tunneled EAP-Message EAP-Message = 0x020f001401504c55544f4e5c676c6f75676c6f75 PEAP: Got tunneled identity of PLUTON\glouglou PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to PLUTON\glouglou PEAP: Sending tunneled request EAP-Message = 0x020f001401504c55544f4e5c676c6f75676c6f75 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "PLUTON\\glouglou" NAS-IP-Address = 10.10.44.246 NAS-Port = 1 Called-Station-Id = "00-1C-F0-08-FB-F8:MoJo" Calling-Station-Id = "00-12-F0-0C-97-61" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" server (null) { +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 15 length 20 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server (null) PEAP: Got tunneled reply RADIUS code 11 EAP-Message = 0x011000291a0110002410ca599c00d22c084762ea6a53c13a5d2b504c55544f4e5c676c6f75676c6f75 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x18e71c2c18f706a7a1507180b3671108 PEAP: Processing from tunneled session code 0x8193750 11 EAP-Message = 0x011000291a0110002410ca599c00d22c084762ea6a53c13a5d2b504c55544f4e5c676c6f75676c6f75 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x18e71c2c18f706a7a1507180b3671108 PEAP: Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 54 to 10.10.44.246 port 1027 EAP-Message = 0x0110004019001703010035956c4cf08a6ab0bfe1df4631b8fd06250693f7860a05c35348bd0b12064b45bc7dacfeccc8db66434df13655cdb562cecc68ed1886 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x56748010536499f247f2f989f1c443b2 Finished request 55. Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 10.10.44.246 port 1027, id=55, length=263 User-Name = "PLUTON\\glouglou" NAS-IP-Address = 10.10.44.246 NAS-Port = 1 Called-Station-Id = "00-1C-F0-08-FB-F8:MoJo" Calling-Station-Id = "00-12-F0-0C-97-61" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x02100061190017030100566d4d35418ad77fca42e9b02823f08213269331fae81fc0fc8c7c8d32df6d8353777e01f72461069c6b8ff46b8af9ae103b3652ba4a3a8cab3024aef70b6f5178fd21d6c680ab940da848bc70986816005ecde4d32124 State = 0x56748010536499f247f2f989f1c443b2 Message-Authenticator = 0x457d4f556b9681c25a43b1cbf68fa24c +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 16 length 97 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 PEAP: Got tunneled EAP-Message EAP-Message = 0x0210004a1a0210004531574a3bb95c0c018b05e6c2ef8940230c00000000000000001f96c63c6a98e87af339d1226e5feef41e327666f3ccd17500504c55544f4e5c676c6f75676c6f75 PEAP: Setting User-Name to PLUTON\glouglou PEAP: Sending tunneled request EAP-Message = 0x0210004a1a0210004531574a3bb95c0c018b05e6c2ef8940230c00000000000000001f96c63c6a98e87af339d1226e5feef41e327666f3ccd17500504c55544f4e5c676c6f75676c6f75 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "PLUTON\\glouglou" State = 0x18e71c2c18f706a7a1507180b3671108 NAS-IP-Address = 10.10.44.246 NAS-Port = 1 Called-Station-Id = "00-1C-F0-08-FB-F8:MoJo" Calling-Station-Id = "00-12-F0-0C-97-61" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" server (null) { +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 16 length 74 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 +- entering group MS-CHAP rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for glouglou with NT-Password WARNING: Deprecated conditional expansion ":-". See "man unlang" for details WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: --username=%{Stripped-User-Name:-%{User-Name:-None}} -> --username=PLUTON\glouglou mschap2: ca expand: --challenge=%{mschap:Challenge:-00} -> --challenge=b7b4f66d1ed49fa6 expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=1f96c63c6a98e87af339d1226e5feef41e327666f3ccd175 Exec-Program output: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/lib/samba/winbindd_privileged are set correctly. (0xc0000022) Exec-Program-Wait: plaintext: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/lib/samba/winbindd_privileged are set correctly. (0xc0000022) Exec-Program: returned: 1 rlm_mschap: External script failed. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject rlm_eap: Freeing handler ++[eap] returns reject auth: Failed to validate the user. Login incorrect: [PLUTON\\glouglou/<via Auth-Type = EAP>] (from client Access_Point_DWL-8500AP+_A1_L1 port 1 cli 00-12-F0-0C-97-61) } # server (null) PEAP: Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\020E=691 R=1" EAP-Message = 0x04100004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Processing from tunneled session code 0x81930e0 3 MS-CHAP-Error = "\020E=691 R=1" EAP-Message = 0x04100004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE ++[eap] returns handled Sending Access-Challenge of id 55 to 10.10.44.246 port 1027 EAP-Message = 0x011100261900170301001b1471747ad76849d8dbd00fc980acdd80e3ecab794abb3f1be839db Message-Authenticator = 0x00000000000000000000000000000000 State = 0x56748010506599f247f2f989f1c443b2 Finished request 56. Going to the next request Waking up in 0.8 seconds. rad_recv: Access-Request packet from host 10.10.44.246 port 1027, id=56, length=204 User-Name = "PLUTON\\glouglou" NAS-IP-Address = 10.10.44.246 NAS-Port = 1 Called-Station-Id = "00-1C-F0-08-FB-F8:MoJo" Calling-Station-Id = "00-12-F0-0C-97-61" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x021100261900170301001bfa6d913e5662305d0263ee856da52043e1b236e5ffc5423828edc4 State = 0x56748010506599f247f2f989f1c443b2 Message-Authenticator = 0x84c6191562a7454ae511824190170812 +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 17 length 38 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select ++[eap] returns invalid auth: Failed to validate the user. Login incorrect: [PLUTON\\glouglou/<via Auth-Type = EAP>] (from client Access_Point_DWL-8500AP+_A1_L1 port 1 cli 00-12-F0-0C-97-61) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> PLUTON\glouglou ++[attr_filter.access_reject] returns noop Delaying reject of request 57 for 1 seconds Going to the next request Waking up in 0.8 seconds. Sending delayed reject for request 57 Sending Access-Reject of id 56 to 10.10.44.246 port 1027 EAP-Message = 0x04110004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.8 seconds. Cleaning up request 50 ID 49 with timestamp +160171 Cleaning up request 51 ID 50 with timestamp +160171 Cleaning up request 52 ID 51 with timestamp +160171 Cleaning up request 53 ID 52 with timestamp +160171 Cleaning up request 54 ID 53 with timestamp +160171 Cleaning up request 55 ID 54 with timestamp +160171 Cleaning up request 56 ID 55 with timestamp +160171 Waking up in 1.0 seconds. Cleaning up request 57 ID 56 with timestamp +160171 Ready to process requests. ---------------------------------------- _____________________________________________________________________________ Envoyez avec Yahoo! Mail. Une boite mail plus intelligente http://mail.yahoo.fr
First question: is EAP system mandatory to authenticate against Active Directory?
No. EAP is there to increase security.
2. "Exec-Program output: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/lib/samba/winbindd_privileged are set correctly. (0xc0000022) Exec-Program-Wait: plaintext: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/lib/samba/winbindd_privileged are set correctly. (0xc0000022)"
Read the list. This was discussed in last couple of days.
I am not so expert at Linux stuff. but i think it could just be an authorization problem.
No. As the debug message says - it's a problem with permissions. Ivan Kalik Kalik Informatika ISP
participants (2)
-
Ivan Kalik -
Reveal MAP